Monetary Fines Expected in Upcoming HIPAA Audits
Update 7/15/2016: The final participants for the HIPAA Phase 2 audits were selected and notified by email on July 11, 2016. Selected organizations should have received an email from OSOCRAudit@hhs.gov. Because this address is unlikely to be on your mail system's trusted-sender list, the notification may have been filed as junk or spam, so check all email folders. Once contact information is verified, OCR will send a notification letter with instructions, a timeline, and a unique link for secure upload of the requested documents. A separate email will request a list of your business associates. The first round of audits focuses on either the HIPAA Privacy and Breach Notification Rules or the Security Rule; participants supply the policies related to the component requested. The deadline for returning this information is July 22, 2016. For further information, please visit http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/.
Update 11/6/2015: In May 2015, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) sent pre-audit screening surveys to selected covered entities, as required by the Health Information Technology for Economic and Clinical Health Act (HITECH). The responses created the pool of covered entities and related business associates from which the Phase 2 auditees may be selected.
CLA recommends taking steps now to prepare your organization in case it is selected for an audit. These steps include:
- Evaluating current action plans to confirm that each identified risk has either been mitigated or has a corrective action plan in place
- Workforce training covering:
  - Password requirements
  - Login requirements
  - How to recognize and prevent malware
  - Security and privacy officer contact information
- Confirming that your Notice of Privacy Practices has been updated since 2013 and that the updated notice is posted on your website
With the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, the Office for Civil Rights (OCR) was required to establish a formal process for periodic audits of covered entities. It instituted an audit program designed to identify noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) and the additional HITECH requirements. The program was rolled out in two phases: the first phase, or "pilot program," was completed in 2012, and the second phase was expected to begin in late 2014 (see the updates above for the actual timeline).
Phase 1 audits
During the pilot program, audits were performed onsite by contractors and were not intended to be used for enforcement purposes. The most significant compliance findings from Phase 1 centered on the following areas:
- Incomplete or inaccurate risk assessments (noted in 66 percent of the audited entities)
- Incomplete HIPAA security policies and procedures, specifically those not addressing media movement and disposal
- Inadequate audit and monitoring controls over user access
- Outdated Notices of Privacy Practices
- Inadequate staff training regarding the requirements of HIPAA security and privacy laws
Phase 2 audits may result in monetary penalties
The second phase of the program differs substantially from the first: OCR will use internally trained staff to perform desk reviews rather than the contractors that conducted the pilot-program site visits. We expect the OCR auditors to receive significant training for these audits and to apply a narrower focus than the pilot program did.
OCR will soon ask 550–800 covered entities to complete a screening survey. The results will provide the information needed to select auditees; approximately 350 entities (and their business associates) will be chosen for a compliance audit. Based on our research, the audits will most likely center on the security risk analysis (whether performed internally or by an outside party) and the associated risk mitigation, the Privacy Rule patient notice, individual access requirements, and the timeliness of breach notifications. Because of the significant findings from the Phase 1 audits, expect requests for documentation of your organization's periodic risk analysis and formal risk management program.
Upon receipt of an audit notification, each entity will have two weeks to provide the data requested by OCR. That is not enough time to implement changes or updates such as performing a security risk analysis, updating policies and procedures (and training the workforce on the changes), or performing a vulnerability assessment. OCR has been clear that there will be no opportunity to clarify the information submitted, so now is the time to mitigate your risks, tighten technical safeguards, and train your workforce.
Taking a proactive approach will prepare your organization for a potential Phase 2 audit. Unlike the pilot program, adverse findings in these audits may result in civil monetary penalties or resolution agreements. Penalties range from $100 per violation up to a maximum of $50,000 per violation, with the total for violations of an identical provision capped at $1.5 million per calendar year. Because a settlement can cover violations of several provisions, we have seen resolution agreements range upwards of $4 million.
How we can help
Now is the time to ensure your HIPAA privacy and security compliance program is up to date. We compare the HIPAA Security and Privacy Rules against your current control environment to identify gaps in your security infrastructure. We can provide an independent security risk analysis or breach risk assessment, and we rank our findings to help you prioritize the necessary improvements.
We offer the following security, privacy assessment, and consulting services:
- HIPAA security risk analysis
- Privacy, breach, and security assessment
- External network penetration testing
- Web and application penetration testing
- Internal network penetration testing and vulnerability assessment
- Wireless assessment
Evaluating and strengthening your compliance program gives you a strategy that not only reduces the risk associated with a compliance audit but also protects the organization from outside threats.